New Law Threatens Privacy

Another marathon political month ends with the US going in the opposite direction regarding consumer data from the EU.  This could end up being confusing to both consumers and advertisers.

The US Senate has passed a bill saying that ISPs can now monetize consumer data in the same way Google and Facebook do. This bill is headed over to the House for a vote. On the face of it, the bill actually equalizes rights, giving ISPs the same rights as platforms. The FCC Chairman who replaced Tom Wheeler has defined this as  part of net neutrality, although that’s not what net neutrality used to be.

““The federal government shouldn’t favor one set of companies over another — and certainly not when it comes to a marketplace as dynamic as the Internet,” said FCC Chairman Ajit Pai and FTC Chairman Maureen Ohlhausen in a joint statement. The two agencies will work together to achieve “a technology-neutral privacy framework for the online world,” they said. “Such a uniform approach is in the best interests of consumers and has a long track record of success.”

Several privacy advocate groups have, of course, come out against the new legislation, including the Electronic Frontier Foundation.

Americans have enjoyed a legal right to privacy from your communications provider under Section 222 of the Telecommunications Act for more than twenty years. When Congress made that law, it had a straightforward vision in how it wanted the dominate communications network (at that time the telephone company) to treat your data, recognizing that you are forced to share personal information in order to utilize the service and did not have workable alternatives.

Now Congress has begun to reverse course by eliminating your communication privacy protections in order to open the door for the cable and telephone industry to aggressively monetize your personal information.

Of course the EFF is an advocacy organization, but privacy groups have become very powerful. And we care about this because anything that makes consumers feel uncertainty about their personal information has a propensity to interfere with the advertising business model most publishers depend on.

We work closely with the Online Trust Association, which also saw this as a potential blow to consumers, and thus to the ad-supported business model, since privacy advocates are now saying ISP stands for “Information Sales for Profit.” As a platform, we neither hold nor track  consumer data, so we’re not directly involved. But we do have a dog in this hunt because we are strong supporters of free internet content that is ad-supported. We work with our partners to make better ads, so there can be fewer ads. We also work with our partners on brand safety in media buying.

We must take pains to maintain the highest ethical and privacy standards so we don’t entice consumers to download more ad blockers. Before this ruling, we had achieved stasis, and were moving on. Let’s do everything we can to keep going in the right direction for both publishers and advertisers, as well as for consumers.





OTA Comments on Proposed Data Breach Notification Legislation

As a member of The Online Trust Alliance (OTA), a global non-profit with the mission to enhance online trust and promote innovation, we take seriously the issue of online trust. There are now several federal data breach notification proposals wending their way through the legislature. OTA, because it represents over 100 other organizations, feels compelled to weigh in.

Here are  six key points and provisions  OTA believes are important considerations for an effective and balanced federal data breach notification law.

First, any federal data breach notification law must preempt the existing 47 state laws imposing a myriad of data breach notification obligations. State breach laws are a complex web of varied timing and notification requirements, and are a difficult mish-mash for an inter-state business to navigate during the challenge of responding to a data breach incident.

Second, any federal data breach notification law must contain a safe harbor from regulator penalties for those businesses or organizations that can demonstrate a commitment to the adoption of best security and privacy practices, provided they have been independently verified. While it is important to recognize there is no perfect security, OTA’s analysis of data shows that more than 90% of breaches that occurred in 2014 could have been prevented by adoption of best practices. A safe harbor for independently verified adoption of best practices would strongly encourage businesses to adopt best practices when they are most needed – in advance of a breach.

Third, any federal data breach notification law must contain a State right of enforcement. Similar to the Children’s Online Privacy Protection Act (COPPA) and the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM), a state right of enforcement not only permits a state to protect its own citizens, but also allows states to complement the overburdened federal regulators by pursuing those companies and organizations that fail to live up to their data breach obligations.

Fourth, any federal data breach notification law must contain an appropriate coverage of personal information triggering notification. This is critical to ensure consumers are notified in a timely manner and for those breaches they need to know about, and are not over notified. If notifications become commonplace, consumers will get lost in the noise and likely not take appropriate action. Thus, the definition of what’s data is covered must be balanced and appropriate, must include paper records, and due to the common reuse of passwords by consumers across their numerous accounts – must include coverage for email/username address and password. A user’s email address and password are essentially the keys to their online kingdom, permitting access to social and financial websites, either directly or through a master account password reset.

Fifth, timely notice is critical to not only consumers, but also to regulatory authorities and law enforcement agencies. Businesses should be required to notify the FTC, FCC or other primary regulatory within seventy-two hours after discovering a breach involving covered data.

Sixth, any data breach legislation must permit businesses to share investigative forensics reports and related data with any law enforcement agencies investigating a breach. This sharing should not constitute a breach under the legislation nor impact any privilege or protections belonging to a business. Sharing forensic reports and data as soon as possible concerning a breach and attempted breach can be invaluable to help protect others and bring attackers to justice, and should be encouraged through appropriate protections in any data breach legislation.

We will be following this legislation through our active membership in OTA.